
Blossom (blossom.net)

Compliance & Risk Manager

Posted Yesterday
Be an Early Applicant
Remote
Hiring Remotely in United States
95K-105K Annually
Mid level

FLSA Classification: Exempt

Reports To: Chief Financial Officer (CFO)


Job Summary:

The Compliance & Risk Manager is responsible for managing and executing Blossom’s compliance and risk management programs. Reporting to the CFO, this role oversees day-to-day compliance operations across all regulatory, security, and audit functions—including SOC 2 Type II, PCI DSS, and all compliance obligations associated with Blossom’s hardware and software products while maintaining a risk management framework that identifies, tracks, and mitigates operational, financial, regulatory, and strategic risks. This role collaborates closely with Engineering, Product, Legal, HR, and Operations to support a culture of compliance and risk awareness across the organization. This role works in close partnership with the IT and Infrastructure function, which retains ownership of technical security controls, HSM/key management, and PCI Security; the Compliance & Risk Manager owns program management, audit coordination, the enterprise risk framework, and policy.


Supervisory Responsibilities:

  • Support the recruitment and onboarding of compliance and risk staff; provide day-to-day guidance and oversight to any direct reports within the function.


Duties/Responsibilities:

Audit & Certification Management

  • Own the end-to-end SOC 2 Type II audit lifecycle: scope definition, control design, evidence collection, auditor coordination, and remediation tracking.

  • Lead PCI DSS compliance efforts across applicable business units, including scope management, gap assessments, and coordination with Qualified Security Assessors (QSAs).

  • Manage relationships with external auditors, assessors, and certification bodies; serve as primary point of contact during audit engagements.

  • Maintain a comprehensive controls inventory; ensure all controls are documented, tested, and operating effectively.

  • Track and manage audit findings and remediation plans through to closure in collaboration with control owners.

Enterprise Risk Management

  • Manage and maintain the enterprise risk management (ERM) framework, ensuring risks across operational, regulatory, financial, strategic, and technology domains are identified, assessed, prioritized, and tracked.

  • Maintain and update the company-wide risk register; coordinate with risk owners to ensure mitigation and remediation plans are tracked to resolution.

  • Conduct periodic enterprise risk assessments; summarize findings and risk trends for CFO review.

  • Collaborate with Product, Engineering, Finance, HR, and Operations to identify and flag risks associated with new initiatives, product launches, and process changes.

  • Support operational risk programs including business continuity planning (BCP), disaster recovery readiness, and incident response protocols in coordination with IT and Engineering.

  • Administer the third-party and vendor risk assessment process, evaluating vendors for security, financial stability, regulatory alignment, and contractual risk.

  • Monitor the evolving risk landscape—including emerging cyber threats, regulatory changes, and market developments—and flag potential impact to leadership.

  • Support the CFO in maintaining the company’s risk appetite and tolerance thresholds; help ensure business decisions align with established risk parameters.

  • Respond to credit union client risk and security due diligence requests, including vendor questionnaires and risk assessments.

  • Maintain required risk documentation including the risk register, risk appetite statements, and reporting artifacts in a manner that supports executive review and external audit.

Regulatory & Policy Compliance

  • Monitor and interpret federal, state, and credit union-specific regulatory requirements applicable to Blossom’s software and hardware products (e.g., NCUA guidance, FFIEC frameworks, GLBA, applicable state laws).

  • Maintain and update company-wide compliance policies, standards, and procedures; ensure alignment with regulatory requirements and industry best practices.

  • Conduct regular internal audits and control testing to evaluate compliance with applicable laws, regulations, and internal policies.

Hardware & Software Product Compliance

  • Ensure Blossom’s hardware and software products comply with applicable regulatory standards, including security and interoperability requirements for financial technology solutions used by credit unions.

  • Collaborate with Product and Engineering teams to embed security and compliance requirements into the SDLC and hardware release processes.

  • Advise on compliance and risk implications of new product features, APIs, and data integrations with credit union core systems and third-party platforms.

  • Ensure the organization meets all data privacy requirements, including applicable provisions of state privacy laws and any credit union member data obligations.

Security Awareness & Training Oversight

  • Partner with HR to support compliance training integration into onboarding and ongoing employee development.

  • Promote a compliance- and risk-aware culture by supporting cross-functional teams with guidance on regulatory obligations and risk.

  • Oversee training completion tracking across mandatory platforms (e.g., NINJIO, Udemy Business) and ensure role-specific training obligations are met, including Swipe team PCI requirements.

  • Develop and deliver compliance communications, training materials, and policy updates to employees across all departments.

  • Coordinate with HR and department heads to ensure annual policy acknowledgments and required compliance certifications are completed on schedule.

  • Own the enterprise Security Awareness Training program, ensuring compliance with PCI DSS Requirement and other applicable mandates.

Reporting & Executive Partnership

  • Serve as a key point of contact for compliance and risk-related questions and escalations across the organization.

  • Provide regular updates to the CFO on the status of the compliance and risk programs, including audit outcomes, risk register updates, and remediation progress.

  • Prepare compliance metrics, risk dashboards, and audit findings summaries for CFO and executive review.

  • Coordinate with external auditors, regulators, and credit union compliance and risk stakeholders as the day-to-day point of contact.

  • Identify and escalate emerging compliance and risk issues to the CFO, with recommended mitigation steps and timelines.

  • Collaborate with Legal, Finance, HR, and Operations to support alignment of the compliance and risk programs with company strategy and growth objectives.

  • Perform other related duties as assigned.


Required Skills/Abilities:

  • Deep knowledge of SOC 2 Trust Services Criteria (TSC) and experience leading or managing SOC 2 Type II audit engagements from preparation through report issuance.

  • Working knowledge of PCI DSS requirements and experience applying them within a fintech, payments, or software organization.

  • Familiarity with financial services regulatory frameworks including FFIEC, GLBA, NCUA guidelines, and applicable state consumer protection and data privacy laws.

  • Experience developing, implementing, and managing enterprise compliance policies, procedures, risk registers, and controls inventories.

  • Demonstrated experience building or managing an enterprise risk management (ERM) framework, including risk registers, risk appetite statements, and risk reporting.

  • Strong organizational and project management skills; able to manage multiple compliance and risk workstreams simultaneously with attention to detail.

  • Exceptional written and verbal communication skills; able to translate complex regulatory requirements into clear, actionable guidance for technical and non-technical audiences.

  • Experience partnering with Engineering and Product teams to embed compliance into software and product development processes.

  • Comfort with GRC platforms and risk management tools (e.g., Drata, Vanta, LogicGate, ServiceNow GRC, or similar).

  • High integrity, strong judgment, and the ability to operate as a trusted advisor to senior leadership.

  • Ability to navigate ambiguity and execute within a fast-growing fintech environment with evolving compliance and risk needs.

  • Proficiency with Google Workspace or Microsoft 365 and standard business productivity tools.

Education and Experience:

  • Bachelor’s degree in Business, Finance, Legal Studies, Information Systems, or a related field required; Master’s degree a plus.

  • Minimum of 4 years of progressive experience in compliance, risk management, audit, or related fields; experience within fintech, payments, or financial services strongly preferred.

  • 2 or more years of hands-on experience with SOC 2 audits (as preparer, auditee, or program contributor); experience with PCI DSS compliance strongly preferred.

  • 2 or more years of experience in a compliance, risk, or audit role with increasing responsibility, preferably in a growth-stage or mid-market company.

  • Prior experience working with or supporting credit unions, community financial institutions, or regulated financial services clients strongly preferred.

  • Experience supporting fintech, SaaS, or B2B technology companies serving regulated industries is a plus.

  • Relevant professional certifications strongly preferred: CISA, CISM, CRISC, CCEP, CIPP, CFE, or equivalent.


Physical Requirements:

  • Prolonged periods sitting at a desk and working on a computer.

  • Must be able to lift up to 15 pounds at times.

What We Offer:

  • Health, fully covered: Company-paid medical, dental, and vision insurance.

  • Life & AD&D: Company-paid life and accidental death & dismemberment coverage.

  • Income protection: Company-paid short- and long-term disability.

  • 401(k) with match: Save for the long run, and we’ll match.

  • Remote allowance: Cell phone and internet connectivity expenses support.

  • Flexible spending: FSA and Dependent Care (DCSA) accounts to stretch your pre-tax dollars.

  • Unlimited PTO: Take the time you actually need.

  • Employee Assistance Program (EAP): Confidential support for life’s harder moments.

  • Supplemental coverage: Voluntary insurance options to round out your plan.
